Ethereal-users: Re: [Ethereal-users] Filter Question

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

Date Prev · Date Next · Thread Prev · Thread Next
Date Index · Thread Index · Other Months · All Mailing Lists
From: Dinkar Bhat <dbhat@xxxxxxxxxxxxxxxxxx>
Date: Mon, 20 Oct 2003 14:08:48 -0400
So it implies that one can't write a filter for capturing whole UDP packets of size > MTU

Dinkar.

Guy Harris wrote:
Dinkar Bhat said:
  
\How do I write a filter to obtain *all fragments* of IP packets for a
certain host *and* port, and all unfragmented packets for the same host
and port ?
    
It's impossible to write a capture filter that will do that, because
capture filters do not preserve any state between packets (the BPF engine
in various OSes that implements them does not support state of that sort),
and because only one fragment contains a given port number field).

Display filters don't support that, either, as the TCP/UDP/etc. headers
are shown only in the reassembled packet, which is constructed only for
the last frame of a reassembled IP packet.